A TMP Project

11logger

11logger is a small kernel patch, a kernel module and a userspace tool that together add SIGSEGV logging and history capabilities to Linux 2.2.x.

11logger can be useful in security auditing and general debugging. The tiny kernel patch implements a kernel hook, while the actual work is done in the kernel module. The output in human readable format is generated by a userspace program. The goal of this modularity is to avoid the need to patch the kernel every time a new 11logger version is released: you (hopefully) should have to patch the kernel only once for every new kernel.

Overview

In the format string and buffer overflow bugs era this patch can be used for security purposes: an attacker who fails while trying to exploit some vulnerability leaves a trace even if core dumping is disabled. It has been shown that security vulnerabilities like buffer overflows can be hard to find, and the attacker may have audited the code without releasing any advisory. 11logger gives you some chance to discover attacks against programs that aren't believed to be vulnerable. Many services come back after a segfault (think of inetd and concurrent servers); after some retries the attacker may find the correct offset and break into your system, so use a reliable logging system in place of the standard syslog together with 11logger. Obviously, if the attacker guesses the right parameters the first time, you are compromised and 11logger will not log any information. See the README for more information.
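As an added example of the kind of detection this enables (not code from 11logger itself), the following script parses constructed segfault syslog lines and flags a program that keeps crashing at different instruction pointers within a short window, which is the retry pattern described above. It assumes the modern Linux kernel's "segfault at ... ip ... sp ... error ..." message format as a stand-in for 11logger's output, which this page does not show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the modern Linux kernel segfault format
# (assumed here; the page does not show 11logger's own output format).
SAMPLE_LOG = """\
Mar  3 10:00:01 host kernel: ftpd[1201]: segfault at 41414141 ip 0000000041414141 sp 00007ffd1c2e0b10 error 14 in ftpd[400000+a000]
Mar  3 10:00:04 host kernel: ftpd[1207]: segfault at 41414145 ip 0000000041414145 sp 00007ffd1c2e0b10 error 14 in ftpd[400000+a000]
Mar  3 10:00:09 host kernel: ftpd[1213]: segfault at 41414149 ip 0000000041414149 sp 00007ffd1c2e0b10 error 14 in ftpd[400000+a000]
Mar  3 10:30:00 host kernel: gimp[2201]: segfault at 0 ip 00007f5e1c3a5b90 sp 00007ffe0a1b2c30 error 4 in libc-2.31.so[7f5e1c30c000+178000]
"""

SEGV_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

def parse_segfaults(text, year=2000):
    """Extract one event per kernel segfault line (syslog lines lack the year)."""
    events = []
    for line in text.splitlines():
        m = SEGV_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "comm": m["comm"], "pid": int(m["pid"]),
                       "ip": int(m["ip"], 16), "addr": int(m["addr"], 16)})
    return events

def find_retry_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag a program that crashes >= threshold times inside `window` with a
    changing faulting IP: a respawning service probed for the right offset
    looks like this, while a single user-level crash does not."""
    by_comm = defaultdict(list)
    for e in events:
        by_comm[e["comm"]].append(e)
    alerts = []
    for comm, evs in by_comm.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ips = {e["ip"] for e in burst}
            if len(burst) >= threshold and len(ips) > 1:
                alerts.append({"comm": comm, "count": len(burst),
                               "distinct_ip": len(ips), "first": first["ts"]})
                break
    return alerts
```

Running `find_retry_bursts(parse_segfaults(SAMPLE_LOG))` on the sample reports the three ftpd crashes as one burst and ignores the isolated gimp crash.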

Download

The current version of 11logger is 0.1.3. Get the source code for Linux 2.2 here.
Warning: to upgrade from 0.1.2 to 0.1.3 you need to install the new kernel patch.
Anyway, this should be the definitive kernel patch.

Changes since 0.1.2

Many good sigsegv,
antirez.

Salvatore Sanfilippo <antirez@linuxcare.com>
The look of this page was taken from the Mathopd page